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AMENDMENTS TO THE CLAIMS 

1. (Currently amended) A method, comprising the computer-implemented steps of: 
in a security controller that is coupled, through a network, to a network device; 
determining a user identifier associated with a -the network device that has caused a 

security event in a -the network; 
causing the network device to receive acquire a new network address that is selected from 
a subset of addresses within a specified pool associated with suspected malicious 
network users; and 

configuring one or more security restrictions with respect to the selected network address. 

2. (Original) A method as recited in Claim 1 , further comprising the steps of: 
receiving information identifying the security event in the network; 

correlating the security event information with network user information to result in 
determining the user identifier associated with the network device. 

3. (Currently amended) A method as recited in Claim 1, wherein the network device uses 
dynamic host control protocol (DHCP) to obtain the network address, and wherein the 
step of causing the network device to receive a acquire the new network address 
comprises resetting a port that is coupled to the network device to prompt a user to 
command the network device to request a new network address using DHCP. 

4. (Currently amended) A method as recited in Claim 1, wherein the network device uses 
dynamic host control protocol (DHCP) to obtain the network address, and wherein the 
step of causing the network device to receive a acquire the new network address 
comprises issuing a DHCP FORCE_RENEW message to the network device. 

5. (Currently amended) A method as recited in Claim 1, wherein the network device uses 
dynamic host control protocol (DHCP) to obtain the network address, and wherein the 
step of causing the network device to receive a acquire the new network address 
comprises prompting the network device to request a new network address using DHCP. 
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6. (Currently amended) A method as recited in Claim 1, wherein the network device uses 
dynamic host control protocol (DHCP) to obtain the network address, and wherein the 
step of causing the network device to receive a acquire the new network address 
comprises waiting for expiration of a lease for a current network address of the network 
device. 

7. (Currently amended) A method as recited in Claim 1, wherein the step of causing the 
network device to receive a acquire the new network address comprises the step of 
providing the network device with an IP address that is selected from a plurality of IP 
addresses within a special IP subnet. 

8. (Original) A method as recited in Claim 7, further comprising the step of publishing 
information describing characteristics of the special IP subnet to network service 
providers. 

9. (Original) A method as recited in Claim 1, wherein the step of configuring security 
restrictions comprises the steps of modifying an internet protocol (IP) access control list 
(ACL) associated with a port that is coupled to the network device to permit entry of IP 
traffic from only the selected network address. 

10. (Original) A method as recited in Claim 1, wherein the step of configuring security 
restrictions comprises the steps of modifying a media access control (MAC) ACL 
associated with a port that is coupled to the network device to permit entry of traffic only 
for a MAC address that is bound to the selected network address. 

11. (Original) A method as recited in Claim 1, further comprising the steps of determining 
whether a malicious act caused the security event, and if so, providing information about 
the security event or malicious act to a security decision controller. 
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12. (Original) A method as recited in Claim 1, further comprising the steps of determining 
whether a malicious act caused the security event, and if not, removing the user from the 
elevated risk group. 

13. (Original) A method as recited in Claim 1, further comprising the steps of determining 
whether a malicious act caused the security event, wherein a legal user action in the 
network is not determined to be a malicious act if the user is associated with a trusted 
customer of a network service provider. 

14. (Currently amended) A method, comprising the computer-implemented steps of: 
in a security controller that is coupled, through a network, to a network device; 
receiving information identifying a security event in a-the network; 

correlating the security event information with network user information to result in 

determining a network user associated with the network device r that caused the 
security event; 

placing the user in an elevated risk security group by causing the network device to 

acquire a new network address that is selected from a subset of addresses within a 
specified pool associated with suspected malicious network users ; 

configuring one or more security restrictions with respect to the selected network address; 

determining whether a malicious act caused the security event; 

if a malicious act caused the security event, then providing information about the security 

event or malicious act to a security decision controller; 
if a malicious act did not cause the security event, then removing the user from the 

elevated risk group. 

15. (Currently amended) A method as recited in Claim 14, wherein placing the user identifier 
in an elevated risk security group further comprises the step of forcing the user- device to 
acquire a -the new network address from a specified group of network addresses that is 
reserved for users associated with elevated user risk^ 
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16. (Currently amended) A method as recited in Claim 15, wherein forcing the user to 
acquire a -the new network address comprises the steps of: 

re-configuring a dynamic host control protocol (DHCP) server to require said server to 
issue any new network address to the network device only from a specified group 
of network addresses that is reserved for users associated with elevated user risk; 

performing any one of the steps of: 

(a) resetting a port that is coupled to the network device to trigger the network device 
to request a new network address using DHCP; 

(b) issuing a DHCP FORCE_RENEW message to the network device; 

(c) prompting the network device to request a new network address using DHCP; 

(d) waiting for expiration of a lease for a current network address of the network 
device. 

17. (Original) A method as recited in Claim 14, wherein the step of configuring one or more 
security restrictions comprises the steps of: 

modifying an internet protocol (IP) access control list (ACL) associated with a port that is 
coupled to the network device to permit entry of IP traffic from only the selected 
network address; 

modifying a media access control (MAC) ACL associated with the port to permit entry of 
traffic only for a MAC address that is bound to the selected network address. 

18. (Currently amended) A computer- readable medium carrying one or more sequences of 
instructions, which instructions, when executed by one or more processors, cause the one 
or more processors to carry out the steps of: 

in a security controller that is coupled, through a network, to a network device; 
determining a user identifier associated with a -the network device that has caused a 

security event in a-the network; 
causing the network device to receive acquire a network address that is selected from a 

subset of addresses within a specified pool associated with suspected malicious 

network users; and 
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configuring one or more security restrictions with respect to the selected network address. 

19. (Currently amended) An apparatus, comprising: 

in a security controller that is coupled, through a network, to a network device; 
means for determining a user identifier associated with a- the network device that has 

caused a security event in a-the network; 
means for causing the network device to receive acquire a network address that is selected 

from a subset of addresses within a specified pool associated with suspected 

malicious network users; and 
means for configuring one or more security restrictions with respect to the selected 

network address. 

20. (Currently amended) An apparatus, comprising: 

a network interface that is coupled to a data network for receiving one or more packet flows 

therefrom; 
a processor; 

one or more stored sequences of instructions which, when executed by the processor, cause the 
processor to carry out the steps of: 

in a security controller that is coupled, through a network, to a network device; 
determining a user identifier associated with a -the network device that has caused a 

security event in a-the network; 
causing the network device to receive acquire a network address that is selected from a 

subset of addresses within a specified pool associated with suspected malicious 

network users; and 

configuring one or more security restrictions with respect to the selected network address. 

21. (Previously presented) A computer-readable medium as recited in Claim 18, further 
comprising instructions for performing the steps as recited in any of Claims 2, 3, 4, 5, 6, 
7, 8,9, 10, 11, 12, or 13. 
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22. (Previously presented) An apparatus as recited in Claim 19, further comprising means for 
performing the steps as recited in any of Claims 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, or 13. 

23. (Canceled) 

24. (Previously presented) A computer-readable medium carrying one or more sequences of 
instructions, which instructions, when executed by one or more processors, cause the one 
or more processors to cany out the steps as recited in any of Claims 14, 15, 16, or 17. 

25. (Previously presented) An apparatus comprising means for performing the functions 
recited in the steps of any of Claims 14, 15, 16, or 17. 

26. (Currently amended) An apparatus, comprising: 

a network interface that is coupled to a data network for receiving one or more packet 
flows therefrom; 
a processor; and 

one or more stored sequences of instructions which, when executed by the processor, 

cause the processor to cany out the steps as recited in any of Claims 1 4 , 15, 16, or 

in a security controller that is coupled, through a network, to a network device; 

receiving information identifying a security event in the network; 

correlating the security event information with network user information to result in 

determining a network user associated with the network device that caused the 

security event; 

placing the user in an elevated risk security group by causing the network device to 

acquire a new network address that is selected from a subset of addresses within a 
specified pool associated with suspected malicious network users; 

configuring one or more security restrictions with respect to the selected network address; 

determining whether a malicious act caused the security event; 
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if a malicious act caused the security event, then providing information about the security 



event or malicious act to a security decision controller; 
if a malicious act did not cause the security event, then removing the user from the 



elevated risk group . 



27. (New) The apparatus of claim 26, wherein the instructions for placing the user identifier 
in an elevated risk security group further comprise instructions which when executed 
cause forcing the user to acquire a new network address from a specified group of 
network addresses that is reserved for users associated with elevated user risk; 

28. (New) The apparatus of claim 27, wherein the instructions which when executed cause 
forcing the user to acquire a new network address comprise further instructions which 
when executed cause: 

re-configuring a dynamic host control protocol (DHCP) server to require said server to 
issue any new network address to the network device only from a specified group 
of network addresses that is reserved for users associated with elevated user risk; 

performing any one of the steps of: 

(e) resetting a port that is coupled to the network device to trigger the network device 
to request a new network address using DHCP; 

(f) issuing a DHCP FORCE_RENEW message to the network device; 

(g) prompting the network device to request a new network address using DHCP; 

(h) waiting for expiration of a lease for a current network address of the network 
device. 

29. (New) The apparatus of claim 26, wherein the instructions which when executed cause 
configuring one or more security restrictions comprise instructions which when executed 
cause: 

modifying an internet protocol (IP) access control list (ACL) associated with a port that is 
coupled to the network device to permit entry of IP traffic from only the selected 
network address; 

modifying a media access control (MAC) ACL associated with the port to permit entry of 
traffic only for a MAC address that is bound to the selected network address. 
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30. (New) The apparatus of claim 20, wherein the network device uses dynamic host control 
protocol (DHCP) to obtain the network address, and wherein the instructions which when 
executed cause the network device to receive a network address comprise instructions 
which when executed cause resetting a port that is coupled to the network device to 
prompt a user to command the network device to request a new network address using 
DHCP. 

31. (New) The apparatus of claim 20, wherein instructions which when executed cause the 
network device to receive a network address comprise instructions which when executed 
cause providing the network device with an IP address that is selected from a plurality of 
IP addresses within a special IP subnet. 
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